Bring Your Own Device: Beware the Hype, Stay Secure

As a young salesman based in Edmonton, Alberta, I called on Syncrude in Fort McMurray. There were outrageous stories that flew around about the construction and early operations of this megaproject. Many of those, I am sure, were urban legends. This one I picked up on the inside, so I am somewhat biased as to its authenticity.

At the end of a shift one day an employee was seen pushing a wheelbarrow of sand, a plentiful byproduct of the tar sand extraction process, out a gate. At the time Syncrude was already producing tens of thousands of barrels of oil a day, so as you can imagine they end up with a lot of sand. Security assumed he was doing a little landscaping and let him walk by numerous times with hardly a question.

Problem was he wasn't taking sand. He was stealing wheelbarrows. It was a different wheelbarrow every time. Everyone assumed he was just borrowing the wheelbarrow to haul the sand. After all, who would be audacious enough to walk right past security stealing a wheelbarrow, with only a lame story about needing the sand as your cover?

BYOD, or Bring Your Own Device, the growing phenomenon that allows employees, even encourages them, to bring their own connected devices to the workplace, reminds me of this story.

I get why BYOD is attractive. We are in a wildly progressive stage of mobile device deployment. According to the GSMA, a global association of more than 800 mobile communications operators, there are now more than six billion mobile connected devices on the planet. That number is expected to double by 2020. I know it can be difficult for companies, large or small, to keep up with the onslaught. Staff wants to use the devices they are excited about, and their employers are happy to download the capital expense. Companies divest the problem of not being able to keep up with the latest and greatest technology their staff wants to brandish. Candidly, and I hate to rain on the parade, it sometimes seems like a bit of surrender.

Organizations need to be careful about the implementation of BYOD and the reasons for allowing it. Data already indicates the money savings are somewhat mythical; costs increase from IT having to support a greater variety of devices, productivity gains can be offset by the constant distraction from personal apps, and security breaches in BYOD companies are on the rise. As well, asking a user to figure out whether he should or should not have a Java plug-in enabled on a web browser is a distraction you may not want him to have.

At the least, we should match this fundamental change in how we work with equally progressive management techniques. Organizations should employ an MDM (mobile device management) strategy or expertise in the IT industry at a speed and intensity similar to the penetration of the staff-owned devices. Most of the time, though, staff's efficiency at acquiring new devices surpasses management's empowerment of IT, in-house or outsourced, to keep up and to make this explosion of personal IT deployment, well, not an explosion.

But beyond just managing the variety of devices popping up around the organization, even in a controlled manner through proper MDM, I still think about that Syncrude employee fooling security by covering his tracks with something the company deemed worthless. If both the sand and the wheelbarrow were valued it would have been immediately clear something was being stolen. As we devalue devices in the information management equation, we make it less clear that what is on them is of great value, and who owns it. And the opportunity for undetected insider data theft takes a quantum leap ahead when an employee knows more than the company does about the device he is using to steal information. She may also feel less obligated to protect or return the data on her device, in spite of policy, as it is, after all, her device...

Of course the best solution is the reserve of those elite thinking companies who have figured out that some of the most competitive weapons of the 21st century are mobile devices. Rather than count the pennies saved from trying to pass down that relatively minor capital expense to their most expensive assets, their people, and then play a strange game of corporate roulette around data ownership and security risks, they take a different route.

First, they employ directly and indirectly the best, most progressive IT professionals they can find. People who know more about leading-edge devices and how to get the most out of those devices than the staff they serve. They look hard and compete to get these people because they know that these IT Pros end up being the biggest productivity enablers in the business. Next, they facilitate orders of magnitude of improved productivity and employee satisfaction by funding a respectable IT spend to acquire an assortment of the absolute sexiest, kick-ass, cool new technologies to be found. They cleverly integrate, secure and support it all, then go look for the next leading-edge stuff to delight, and improve staff efficiency all over again.